Updated at March 20, 2024 06:18 AM

Configuring allowed repositories

With Gatekeeper you can set a constraint that requires only allowed repositories to be used to download images. For example, this constraint can be useful if company policies require downloading images only from trusted repositories, so that cluster operators do not accidentally run an untrusted application from an untrusted source.

To demonstrate how Gatekeeper works, several objects will be created:

  • A constraint template and its corresponding constraint. Together they allow images to be pulled only from the Docker Hub repository.
  • A few Kubernetes resources to test how the constraint works.

Preparatory steps

  1. Create a Kubernetes cluster of the most current version.

    Choose the cluster parameters at your own discretion.

  2. Make sure that you can connect to the cluster with kubectl.

Create a constraint that checks the repositories

  1. Create a constraint template:

    1. Create a constraint template manifest.

      Use the contents of this file. It is the ready-made K8sAllowedRepos template from the Gatekeeper library, which checks that images are pulled only from the repositories listed in the constraint.

    2. Create a constraint template based on the template manifest:

      kubectl apply -f template.yaml
  2. Create a constraint:

    1. Create a constraint manifest based on the template you created earlier:

    2. Create a constraint based on the constraint manifest:

      kubectl apply -f constraint.yaml
  3. Make sure that the constraint template and the constraint have been successfully created by running the command:

    kubectl get constraints,constrainttemplates

    The output should look similar to this:

    NAME                                                          ENFORCEMENT-ACTION TOTAL-VIOLATIONS
    k8sallowedrepos.constraints.gatekeeper.sh/require-docker-hub  ...                ...

    NAME                                                          AGE
    constrainttemplate.templates.gatekeeper.sh/k8sallowedrepos    ...
  4. Test the restriction by trying to create several pods:

    1. Create a manifest for the pod:

    2. Try to create a pod based on the manifest:

      kubectl apply -f example-allowed.yaml

      The operation should be completed successfully.

    3. Make sure that the pod has been successfully created by running the command:

      kubectl get pod allowed-pod

      The output should look similar to this:

      NAME          READY   STATUS    RESTARTS   AGE
      allowed-pod   1/1     Running   ...        ...
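As an added illustration (not part of the VK Cloud page, and not the Gatekeeper library's own Rego), the Python below models the check the K8sAllowedRepos template performs: every image in a pod's containers, init containers and ephemeral containers must start with one of the configured repos prefixes, and the pod is rejected otherwise. The allowed prefix `docker.io/`, the sample pods and the pod names are assumptions; the violation message format mirrors the library template.

```python
from typing import Dict, List

# Assumed parameters for the page's "require-docker-hub" constraint; its
# manifest is not reproduced, so this prefix list is a constructed stand-in.
REQUIRE_DOCKER_HUB = {"repos": ["docker.io/"]}

# Fields the library template inspects; each holds a list of container specs.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def violations(pod: Dict, params: Dict) -> List[str]:
    """One message per container whose image is outside every allowed repo.

    Matching is a plain prefix test, like the template's startswith() call,
    so an entry such as "docker.io/" admits anything under that registry.
    """
    repos = params["repos"]
    msgs = []
    for field in CONTAINER_FIELDS:
        for c in pod.get("spec", {}).get(field, []):
            image = c.get("image", "")
            if not any(image.startswith(repo) for repo in repos):
                msgs.append(f"container <{c.get('name')}> has an invalid image "
                            f"repo <{image}>, allowed repos are {repos}")
    return msgs


def is_admitted(pod: Dict, params: Dict) -> bool:
    """A pod is admitted only when no container produces a violation."""
    return not violations(pod, params)


# Constructed sample pods (only the fields the check reads).
# Like the page's allowed-pod: image pulled from Docker Hub.
ALLOWED_POD = {"metadata": {"name": "allowed-pod"}, "spec": {
    "containers": [{"name": "nginx", "image": "docker.io/library/nginx:1.25"}]}}

# Rejected: the app container uses another registry; a compliant init
# container does not change the verdict.
DENIED_POD = {"metadata": {"name": "denied-pod"}, "spec": {
    "containers": [{"name": "app", "image": "quay.io/example/app:1.0"}],
    "initContainers": [{"name": "init", "image": "docker.io/library/busybox"}]}}

# Caveat: a bare name such as "nginx:1.25" is pulled from Docker Hub by
# default, yet it does not start with "docker.io/", so this prefix rule
# rejects it; list every image form your manifests actually use.
SHORT_NAME_POD = {"metadata": {"name": "short-name-pod"}, "spec": {
    "containers": [{"name": "nginx", "image": "nginx:1.25"}]}}

for p in (ALLOWED_POD, DENIED_POD, SHORT_NAME_POD):
    print(p["metadata"]["name"], violations(p, REQUIRE_DOCKER_HUB) or "admitted")
```

The third pod shows why the repos list should be written against the image strings your manifests really contain, not against the registry they happen to resolve to.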

Delete unused resources

  1. If the Kubernetes resources you created are no longer needed, delete them.

    kubectl delete pod allowed-pod
    kubectl delete k8sallowedrepos.constraints.gatekeeper.sh/require-docker-hub
    kubectl delete constrainttemplate.templates.gatekeeper.sh/k8sallowedrepos
  2. A running cluster consumes computing resources. If you no longer need it: